Analysis Overview
SHA256
1e712ef0a37d9e8d2f6ef512da2438ef05e073cde9ae6677858b9ebbd1c23b2b
Threat Level: Known bad
The file SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe was found to be: Known bad.
Malicious Activity Summary
BluStealer
Accesses Microsoft Outlook profiles
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
outlook_office_path
outlook_win_path
Script User-Agent
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-04-26 09:31
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-04-26 09:31
Reported
2023-04-26 09:33
Platform
win7-20230220-en
Max time kernel
65s
Max time network
34s
Command Line
Signatures
BluStealer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1324 set thread context of 520 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe |
| PID 520 set thread context of 2040 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Network
Files
memory/1324-54-0x00000000010F0000-0x000000000120A000-memory.dmp
memory/1324-55-0x0000000004A20000-0x0000000004A60000-memory.dmp
memory/1324-56-0x00000000005A0000-0x00000000005B2000-memory.dmp
memory/1324-57-0x0000000004A20000-0x0000000004A60000-memory.dmp
memory/1324-58-0x0000000000A40000-0x0000000000A4C000-memory.dmp
memory/1324-59-0x0000000005930000-0x00000000059DC000-memory.dmp
memory/1324-60-0x00000000054F0000-0x0000000005566000-memory.dmp
memory/520-61-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-62-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-63-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-65-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/520-66-0x0000000000400000-0x000000000046E000-memory.dmp
memory/520-68-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2040-71-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/2040-72-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp
memory/520-74-0x0000000000400000-0x000000000046E000-memory.dmp
memory/2040-73-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/2040-76-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/2040-78-0x0000000000090000-0x00000000000F6000-memory.dmp
memory/2040-79-0x0000000000EC0000-0x0000000000F7C000-memory.dmp
memory/520-80-0x0000000000400000-0x000000000046E000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-04-26 09:31
Reported
2023-04-26 09:33
Platform
win10v2004-20230220-en
Max time kernel
143s
Max time network
131s
Command Line
Signatures
BluStealer
Accesses Microsoft Outlook profiles
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
| Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1476 set thread context of 3888 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe |
| PID 3888 set thread context of 3776 | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe |
Enumerates physical storage devices
Script User-Agent
| Description | Indicator | Process | Target |
| HTTP User-Agent header | Mozilla/4.0 (compatible; Win32; WinHttp.WinHttpRequest.5) | N/A | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe | N/A |
Suspicious use of WriteProcessMemory
outlook_office_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
outlook_win_path
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676 | C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"
C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe
"C:\Users\Admin\AppData\Local\Temp\SecuriteInfo.com.Win32.RATX-gen.24211.32173.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 59.128.231.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| IE | 20.54.89.15:443 | tcp | |
| US | 8.8.8.8:53 | 26.165.165.52.in-addr.arpa | udp |
| US | 13.89.179.10:443 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 93.184.221.240:80 | tcp | |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 2.36.159.162.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 63.13.109.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | api.telegram.org | udp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| NL | 149.154.167.220:443 | api.telegram.org | tcp |
| US | 8.8.8.8:53 | 220.167.154.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.249.124.192.in-addr.arpa | udp |
| US | 93.184.221.240:80 | tcp | |
| NL | 173.223.113.164:443 | tcp | |
| NL | 173.223.113.131:80 | tcp | |
| US | 204.79.197.203:80 | tcp |
Files
memory/1476-133-0x0000000000510000-0x000000000062A000-memory.dmp
memory/1476-134-0x00000000055A0000-0x0000000005B44000-memory.dmp
memory/1476-135-0x0000000004FF0000-0x0000000005082000-memory.dmp
memory/1476-136-0x00000000054D0000-0x00000000054DA000-memory.dmp
memory/1476-137-0x0000000004F90000-0x0000000004FA0000-memory.dmp
memory/1476-138-0x0000000004F90000-0x0000000004FA0000-memory.dmp
memory/1476-139-0x0000000007230000-0x00000000072CC000-memory.dmp
memory/3888-140-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3888-143-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3888-146-0x0000000000400000-0x000000000046E000-memory.dmp
memory/3776-147-0x0000000000580000-0x00000000005E6000-memory.dmp
memory/3888-149-0x0000000000400000-0x000000000046E000-memory.dmp